unofficial mirror of guix-patches@gnu.org 
blob a9fc632dc27e4fc1a32e1d3856189032637a17e8 1458 bytes (raw)

Fix CVE-2017-11541

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541

Patch copied from upstream source repository:

https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280

From 21d702a136c5c16882e368af7c173df728242280 Mon Sep 17 00:00:00 2001
From: Guy Harris <guy@alum.mit.edu>
Date: Tue, 7 Feb 2017 11:40:36 -0800
Subject: [PATCH] CVE-2017-11541: In safeputs(), check the length before
 checking for a NUL terminator.

safeputs() doesn't do packet bounds checking of its own; it assumes that
the caller has checked the availability in the packet data of all maxlen
bytes of data.  This means we should check that we're within the
specified limit before looking at the byte.

This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).
---
 tests/TESTLIST            |   1 +
 tests/hoobr_safeputs.out  |   2 ++
 tests/hoobr_safeputs.pcap | Bin 0 -> 88 bytes
 util-print.c              |   2 +-
 4 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 tests/hoobr_safeputs.out
 create mode 100644 tests/hoobr_safeputs.pcap

diff --git a/util-print.c b/util-print.c
index 394e7d59..ec3e8de8 100644
--- a/util-print.c
+++ b/util-print.c
@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo,
 {
 	u_int idx = 0;
 
-	while (*s && idx < maxlen) {
+	while (idx < maxlen && *s) {
 		safeputchar(ndo, *s);
 		idx++;
 		s++;
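Review bot: the corrected `while (idx < maxlen && *s)` condition is only safe because `&&` evaluates the bounds check before the dereference, and nothing at the loop says that the order is load-bearing. A one-line comment above the `while` stating that `idx < maxlen` must be tested before `*s` is read would keep a later cleanup from swapping the operands back. Separately, the diffstat lists tests/TESTLIST, tests/hoobr_safeputs.out and tests/hoobr_safeputs.pcap, but the only hunk present is the one for util-print.c, so the regression capture is not carried here; the patch header should say the test files were dropped so the mismatch with the diffstat is not read as a truncated patch.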
-- 
2.14.1


debug log:

solving a9fc632dc ...
found a9fc632dc in https://git.savannah.gnu.org/cgit/guix.git
